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Report of Independent Accountant 

To the Management of CERTISIGN CERTIFICADORA DIGITAL - Certificate Authority: 

We have examined the assertion by the management of Certisign Certificadora Digital (CERTISIGN-CA 1 ), that 
in providing its Certification Authority (CA) services in Brazil, during the period January 1 st , 2015 through 
December 3 1 st 20 1 5, it: 


• Disclosed its Business, Key Life Cycle Management, Certificate Life Cycle Management, and CA 
Environmental Control practices in its 

o Certification Practice Statement, and 

o Certificate Policy 

• Maintained effective controls to provide reasonable assurance that: 

o CERTISIGN - CA’s Certification Practice Statement is consistent with its Certificate Policy 

o CERTISIGN - CA provides its services in accordance with its Certificate Policy and 
Certification Practice Statement 

• Maintained effective controls to provide reasonable assurance that: 

o The integrity of keys and certificates it manages is established and protected throughout their 
life cycles; 

o The integrity of subscriber keys and certificates it manages is established and protected 
throughout their life cycles; 

o The Subscriber information is properly authenticated (for the registration activities performed 
by CERTISIGN - CA); and 

o Subordinate CA certificate requests are accurate, authenticated, and approved 

• Maintained effective controls to provide reasonable assurance that 

o Logical and physical access to CA systems and data is restricted to authorized individuals; 

o The continuity of key and certificate management operations is maintained; and 

o CA systems development, maintenance, and operations are properly authorized and performed 
to maintain CA systems integrity 

• Disclosed its SSL certificate Life Cycle Management Business Practices in its Certification Practice 
Statement and Certificate Policy including its commitment to provide SSL certificates in conformity 
with the CA/Browser Forum Guidelines on the CERTISIGN-CA website, and provided such services 
in accordance with its disclosed practices 

• Maintained effective controls to provide reasonable assurance that: 


1 During our audit procedures, we verified that, according to Certisign Certification Practice Statement “CPS”, when 
providing server Certificates, Service Centers (CERTISIGN-CA) becomes RA within the STN “Symantec Trusted 
Network” for a Symantec CA issuing server certificates. The Service Centers performs validation functions to approve or 
reject server Certificate applications. 
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o the integrity of keys and SSL certificates it 

manages is established and protected throughout their life cycles; and 

o SSL subscriber information is properly authenticated (for the registration activities performed 
by CERTISIGN-CA) 

• Maintained effective controls to provide reasonable assurance that it meets the Network and System 
Security Requirements as set forth by the CA/Browser Forum. 

For the First Level CA (AC Certisign, Certisign Root CA and AC Imprensa Oficial SP), the Subordinate Root 
CA (AC BR RFB, AC Certisign Multipla, AC Certisign RFB, AC Certisign Solu<?oes Corporativas, AC 

Certisign SPB, AC Certisign Tempo, AC Certisign-JUS, AC FENANCON Certisign RFB, AC Imprensa Oficial, 
AC Imprensa Oficial SP RFB, AC Instituto Fenacon, AC tnstituto Fenacon RFB, AC Notarial RFB, AC OAB, 
AC PETROBRAS, AC PRODEMGE, AC PRODEMGE RFB, AC SINCOR, AC SINCOR RFB, AC SINCOR 
RIO RFB, Certisign Application CA, Certisign Email CA, Certisign SSL CA), the Corporate CA (AC 
Assembleias Online, AC BASF, AC Certisign Corporativa, AC Certisign Parceria, AC CertiSign VPN, AC 
Conecta Tecnologia, AC ICE CARD, AC PRODERJ, AC Raiz SEFAZ SP, AC SAT SEFAZ SP, AC VERTAX, 
Automated Administration, Automated Administration - G2, Automated Administration G2, Autoridade 
Certificadora Conecta Tecnologia, Autoridade Certificadora Imprensa Oficial SP, Autoridade Certificadora 
TIM, Banestes AC Raiz, Banestes Autoridade Certificadora, BASF SA AC, Brazilian Aeronautical Commission 
CA, Centro de Tecnologia da Inform, e Comunic. Do Estado do RJ, Certisign Automated Administration, 
CertiSign Autoridade Certificadora Classe 2, Certisign Class 1 Consumer Individual Subscriber CA - G2, 
Certisign Class 2 CA, Certisign Class 2 CA - G2, Certisign Class 2 Managed PKI Individual Subscriber CA - 
G2, Certisign Class 2 OnSite Individual Subscriber CA, Certisign Class 3 OnSite Enterprise Administrator CA, 
Certisign Class 3 OnSite Enterprise Administrator CA - G2, Certisign Class 3 OnSite Operational Administrator 
CA, Certisign Class 3 OnSite SCO Administrator CA, Certisign Class 3 Private MPKI Enterprise Administrator 
CA, Certisign Class 3 Private MPKI Operational Administrator CA, Certisign Class 3 Private MPKI SCO 
Administrator CA, Certisign Private Managed PKI Enterprise Administrator CA - G2, Certisign Private OCSP 
TEST CA, Certisign Private OnSite Enterprise Administrator CA, Certisign PRIVATE TEST CACertisign 
Timestamping CA, Certisign VPN, Certisign! PSec CA, Entidade Certificadora Globo CA - G2 and Entidade 
Certificadora TV Globo CA, Certisign Root CA, AC CAB RFB, Certisign Signature Services CA and AC EGBA 
Multipla based on the AICPA Trust Service Principles and Criteria for Certification Authorities, Version 2.0 
and SSL Baseline Requirements Audit Criteria, Version 1.1. 

CERTISIGN - CA’s management is responsible for its assertion. Our responsibility is to express an opinion on 
management’s assertion based on our examination. 

CERTISIGN - CA’s makes use of external registration authorities for specific subscriber registration activities 
as disclosed in CERTISIGN - CA’s business practice disclosures. Our examination did not extend to the controls 
exercised by the external registration authorities. 

Our examination was conducted in accordance with attestation standards established by the American Institute 
of Certified Public Accountants, and accordingly, included (1) obtaining an understanding of CERTISIGN - 
CA’s key and certificate life cycle management business practices and its controls over key and certificate 
integrity, over the authenticity and privacy of subscriber and relying party information, over the continuity of 
key and certificate life cycle management operations, and over the development, maintenance, and operation of 
systems integrity; (2) selectively testing transactions executed in accordance with disclosed key and certificate 
life cycle management business practices; (3) testing and evaluating the operating effectiveness of the controls; 
and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our 
examination provides a reasonable basis for our opinion. 
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The relative effectiveness and significance of specific controls at CERTISIGN - CA and their effect on 
assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls 
and other factors present at individual subscriber and relying party locations. We have performed no procedures 
to evaluate the effectiveness of controls at individual subscriber and relying party locations. 

Because of the nature and inherent limitations of controls, CERTISIGN - CA’s ability to meet the 
aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, error, 
fraud, unauthorized access to systems and information, or failure to comply with internal and external policies 
or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the 
risk that changes may alter the validity of such conclusions. 

In our opinion, for the period January 1 st , 2015 through December 31 st , 2015, CERTISIGN - CA management’s 
assertion, as set forth in the first paragraph, is fairly stated, in all material respects, based on the AICPA Trust 
Service Principles and Criteria for Certification Authorities. 

This report does not include any representation as to the quality of CERTISIGN - CA's services beyond those 
covered by the Trust Service Principles and Criteria for Certification Authorities nor the suitability of any of 
CERTISIGN - CA's services for any customer's intended purpose. 

24/01/2017 

Ernst & Young Auditores Independentes S.S. 

Rio de Janeiro - Brazil 


Francesco Bottino 
Partner 



